
MUP Drony Protect 3.0 & Luck007

By ColdFever, AoRE team
Abstract:
These two packers use the same methods to protect the executable file. When I
say the "same" I really mean exactly the same methods in exactly the same
order. I don't know if they are from the same person. Anyhow, in this tutorial
you will learn how to unpack them.

Tools of the trade:

1. OllyDbg
2. ImpRec

Introduction:
At the beginning of the tutorial I will show you both targets, but I will
finish with one of them.

Part I:
Getting the dump

I loaded each target in a separate OllyDbg instance.

This is Drony’s EP

This is Luck007’s EP

I know the EP code differs, but the same protection methods still follow. ☺

Set a breakpoint on VirtualAlloc. Run the program, execute the VirtualAlloc
call, and take the return back to the user code. You should stop here:
This is in Drony’s case

This is in Luck007’s case

Déjà vu!!! Same exact Op-Codes.


From here on I will continue the tutorial with Luck007; the steps for Drony are
exactly the same. Scroll all the way down until you see the return and place a
hardware breakpoint on it.

Run the program in OllyDbg and a message box will pop up.

Click “OK” and you should stop on the return address.


Trace with F7 or F8 and you should be here:
This is the jump to the OEP. Trace with F7 and take the jump.

Now use the OllyDbg dump plug-in and change the Start Address, the Size, and
the OEP before you click "Dump".

If you don't know why we need the above changes, go find something else to do
with your time: "Cracking is not for you" LOL ☺
Part II:
Fixing the dump

I have already talked about a similar case where we had to fix the IAT when
ImpRec reads the wrong image base. See my tutorial "Extracting embedded files
from within MoleBox Executables" for more clarification.

Now let's get the IAT start and its size:

RVA = 00460818 – 00570000 = FFEF0818

Size = 00460F28 – 00460818 = 710

Run ImpRec, select the process, enter our values, and click "Get Imports".

We need to fix the IAT before we can fix the dump. So click "Save Tree" and
save it under any name. Open the text file in Notepad and use the Replace
command to change the address. Save the changes to the text file. Now click
"Load Tree" in ImpRec and load the text file.

Everything is fine. So click "Fix Dump" and it should work.
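The RVA/size arithmetic above and the "replace the address in the saved tree" step are the two places where a wrong image base silently breaks an import rebuild. The following Python is an added example, not code from the tutorial or from ImpRec: it reads ImageBase and AddressOfEntryPoint out of a dumped PE32 header, computes the IAT RVA with 32-bit wraparound (which is exactly how 00460818 – 00570000 becomes FFEF0818 when the tool has read 00570000 as the base), and rebases every 8-digit hex address inside a given range in a saved text file, mirroring the Notepad Replace step. The PE header bytes and the tree text are constructed for the example; the real ImpRec tree layout is not reproduced, and the 00400000 base used for contrast is an assumption, not a value from the tutorial.

```python
"""
Added example (not part of the original tutorial or of ImpRec).

 - read_pe32_image_base(): ImageBase + AddressOfEntryPoint from a PE32 header,
   so the IAT RVA is computed against the base the import fixer will use.
 - iat_rva(): VA - ImageBase with 32-bit wraparound; with a base of 00570000
   this yields the tutorial's FFEF0818.
 - rebase_hex_addresses(): the Notepad "Replace" step on a saved tree file,
   applied to every 8-digit hex address in the old range.

The PE bytes and the tree text are constructed for offline testing; they do not
reproduce the real ImpRec tree format.
"""
import re
import struct

MASK32 = 0xFFFFFFFF


def read_pe32_image_base(pe: bytes):
    """Return (image_base, entry_point_rva) from a PE32 header blob."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                       # IMAGE_FILE_HEADER is 20 bytes
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic != 0x10B:                            # PE32 only (PE32+ keeps a 64-bit base at +24)
        raise ValueError("not a PE32 image")
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]  # ImageBase
    return image_base, entry_rva


def iat_rva(iat_va: int, image_base: int) -> int:
    """RVA = VA - ImageBase, wrapped to 32 bits like a hex calculator would."""
    return (iat_va - image_base) & MASK32


def iat_size(iat_start_va: int, iat_end_va: int) -> int:
    """Size of the IAT as the distance between its first and one-past-last entry."""
    return iat_end_va - iat_start_va


def build_minimal_pe32(image_base: int, entry_rva: int) -> bytes:
    """Constructed PE32 header with no sections, just enough for the reader above."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew -> right after the DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)  # i386, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)           # ImageBase
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


HEX8 = re.compile(r"\b[0-9A-Fa-f]{8}\b")


def rebase_hex_addresses(text: str, old_base: int, new_base: int, span: int) -> str:
    """Rewrite every 8-digit hex address in [old_base, old_base + span) onto new_base.

    Addresses outside that window (e.g. API RVAs inside a DLL) are left alone.
    """
    def fix(m: re.Match) -> str:
        value = int(m.group(0), 16)
        if old_base <= value < old_base + span:
            return f"{(value - old_base + new_base) & MASK32:08X}"
        return m.group(0)
    return HEX8.sub(fix, text)


if __name__ == "__main__":
    # Constructed dump header: assumed base 00400000, EP at RVA 1000.
    base, ep = read_pe32_image_base(build_minimal_pe32(0x00400000, 0x1000))
    print(f"ImageBase={base:08X} EP={ep:08X}")
    print(f"IAT RVA vs 00570000: {iat_rva(0x00460818, 0x00570000):08X}")  # tutorial's FFEF0818
    print(f"IAT RVA vs {base:08X}: {iat_rva(0x00460818, base):08X}")
    print(f"IAT size: {iat_size(0x00460818, 0x00460F28):X}")

    # Constructed tree-like text, NOT the real ImpRec format.
    tree = "FThunk: 00570818 NbFunc: 00000002\n1 kernel32.dll 00006D3A GetProcAddress\n"
    print(rebase_hex_addresses(tree, 0x00570000, base, 0x00100000))
```

A practical check is to compare the RVA computed against the base read from the dump's own header with the one the import fixer reports; if they differ, the tool has picked up a different base and the tree addresses need the same rebasing before "Fix Dump".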

Over ‘n’ Out


ColdFever
You can catch me @ AoRE forum or Snd Forum

Greetings:
To all my friends in AoRE Forum
Tuts4you, ARteam, Snd, CORE, TSRh, and all the cracking groups
To you for taking the time to read this ☺
